Request a demo
ACT now

blog

Latest Security Vulnerability of the Week 3/10/22 – Application Security – Cloud – Vulnerability – Exchange Zero Day & Mitigations, bitbucket, cobalt stike

Latest Security Vulnerability of the Week 3/10/22 - Application Security - Cloud Security - Infrastructure Security - cobaltstrike microsoft excahnge vulnerability bitbucket vulnerability

Previous Issues of vulnerability Weekly

This week we deep dive into Exchange zero-day and large-scale exploit, cobalt strike, bitbucket.

INFRA/Network

Two new Microsoft Exchange zero-days exploited in the wild from Chinese ATP

On September 30th two vulnerabilities have been discovered in a large attack.

On September 29 a Vietnamese researcher warned the ATP was targeting exchange servers with RCE directly on the system.

As RCE is a category of devastating attacks as they allow an attacker to further deploy payloads and additional exploits. 

GTSC suspects that a Chinese threat group is responsible for the attacks based on the web shells’ code page, a Microsoft character encoding for simplified Chinese.

“The vulnerability turns out to be so critical that it allows the attacker to do RCE on the compromised system,” the researchers said.

The researchers reported the security vulnerabilities to Microsoft privately three weeks ago through the Zero Day Initiative, which tracks them as ZDI-CAN-18333 and ZDI-CAN-18802 after its analysts validated the issues.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the two Microsoft Exchange Server zero-day vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalogue, requiring federal agencies to apply the patches by October 21, 2022.

Microsoft issued the statement: 

Microsoft is investigating two reported zero-day vulnerabilities affecting Microsoft Exchange Server 2013, Exchange Server 2016, and Exchange Server 2019. The first one, identified as CVE-2022-41040, is a Server-Side Request Forgery (SSRF) vulnerability, and the second one, identified as CVE-2022-41082, allows Remote Code Execution (RCE) when PowerShell is accessible to the attacker.  

Microsoft has recently published.  

CVE-2022-41040 

CVE-2022-41082

Mitigation: 

Alert as highly exploitable (especially 41040). The current Exchange Server mitigation is to add a blocking rule in “IIS Manager -> Default Web Site -> URL Rewrite -> Actions” to block the known attack patterns

On-premises exchange:

“The current mitigation is to add a blocking rule in “IIS Manager -> Default Web Site -> Autodiscover -> URL Rewrite -> Actions” to block the known attack patterns.”

To apply the mitigation to vulnerable servers, you will need to go through the following steps:

  1. Open the IIS Manager.
  2. Expand the Default Web Site.
  3. Select Autodiscover.
  4. In the Feature View, click URL Rewrite.
  5. In the Actions pane on the right-hand side, click Add Rules.
  6. Select Request Blocking and click OK.
  7. Add String “.*autodiscover\.json.*\@.*Powershell.*” (excluding quotes) and click OK.
  8. Expand the rule and select the rule with the Pattern “.*autodiscover\.json.*\@.*Powershell.*” and click Edit under Conditions.
  9. Change the condition input from {URL} to {REQUEST_URI}

Since the threat actors can also gain access to PowerShell Remoting on exposed and vulnerable Exchange servers for remote code execution via CVE-2022-41082 exploitation, Microsoft also advises admins to block the following Remote PowerShell ports to hinder the attacks:

  • HTTP: 5985
  • HTTPS: 5986

On-premises exchange follow the recommendations: https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/ 

Option 2: Microsoft created the following script for the URL Rewrite mitigation steps. https://aka.ms/EOMTv2 

Currently, there are 318,382  server exposed with exchange running

At the time of attack USA, Japan, and UK/Germany were the targets of ATP coming from China

CVE-2022-41040, is a Server-Side Request Forgery (SSRF) – 

A vulnerability has been found in Microsoft Exchange Server 2013/2016/2019 and classified as critical. This vulnerability affects an unknown part. The manipulation with an unknown input leads to a privilege escalation vulnerability. The CWE definition for vulnerability is CWE-918. The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. As an impact, it is known to affect confidentiality, integrity, and availability.

The weakness was published 09/30/2022. The advisory is available at msrc-blog.microsoft.com. This vulnerability was named CVE-2022-41040. Technical details are unknown but an exploit is available. 

The structure of the vulnerability defines a possible price range of USD $5k-$25k at the moment (estimation from vulndb) even tough exploit was developed by 

It is declared as highly functional.

It is possible to mitigate the problem by applying the configuration setting.

Why EPSS alone was not active – EPSS currently is scoring vulnerabilities at 0.0 (data still needs to be retrieved)

CTI information gives a range from 8 to now 5 after successful mitigation

CVE-2022-41082– Microsoft Advisory

Currently actively exploited in the wild with persistance – exploit is less active than CVE-2022-41040,

A vulnerability was found in Microsoft Exchange Server 2013/2016/2019 and classified as critical. This issue affects an unknown code of the component PowerShell Handler. Impacted are confidentiality, integrity, and availability.

The weakness was released on 09/30/2022. It is possible to read the advisory at msrc-blog.microsoft.com. The identification of this vulnerability is CVE-2022-41082. Technical details are unknown, but an exploit is available. The pricing for an exploit might be around USD $5k-$25k at the moment (estimation from vulndb).

BitBucket Server vulnerability hack CISA warns agencies. 

U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday added a recently disclosed critical flaw impacting Atlassian’s Bitbucket Server and Data Center to the Known Exploited Vulnerabilities (KEV) catalogue, citing evidence of active exploitation.

CVE-2022-36804, the issue relates to a command injection vulnerability that could allow malicious actors to gain arbitrary code execution on susceptible installations by sending a specially crafted HTTP request.

“All versions of Bitbucket Server and Datacenter released after 6.10.17 including 7.0.0 and newer are affected; this means that all instances running any versions between 7.0.0 and 8.3.0 inclusive are affected by this vulnerability,” Atlassian noted in a late August 2022 advisory.

The shortcoming discovered and reported by security researcher @TheGrandPew impacts all versions of Bitbucket Server and Datacenter released after 6.10.17, inclusive of 7.0.0 and newer –

  • Bitbucket Server and Datacenter 7.6
  • Bitbucket Server and Datacenter 7.17
  • Bitbucket Server and Datacenter 7.21
  • Bitbucket Server and Datacenter 8.0
  • Bitbucket Server and Datacenter 8.1
  • Bitbucket Server and Datacenter 8.2, and
  • Bitbucket Server and Datacenter 8.3

“An attacker with access to a public Bitbucket repository or with read permissions to a private one can execute arbitrary code by sending a malicious HTTP request,” Atlassian said in an advisory.

Currently, there are 166 Publicly exposed bitbuckets. Exposing Bitbucket is not recommended. 

https://www.shodan.io/search?query=bitbucket

Cobalt Strike beacon disguised as job advert.

Cobalt Strike | Adversary Simulation and Red Team Operations

The renowned attack platform cobalt strike has been targeted by attackers with a malware campaign distributed by documents and disguised as job advertisements.

Several exploits in the wild with Remote Code Execution 

“The payload discovered is a leaked version of a Cobalt Strike beacon,” Cisco Talos researchers Chetan Raghuprasad and Vanja Svajcer said in a new Wednesday analysis.

Together with this attack Cobalt strike was found with a vulnerability. 

Official Registration as medium CVSS score for CVE-2022-39197 

An XSS (Cross Site Scripting) vulnerability was found in HelpSystems Cobalt Strike through 4.7, allowing a remote attacker to execute HTML on the Cobalt Strike team server. To exploit the vulnerability, one must first inspect a Cobalt Strike payload and then modify the username field in the payload (or create a new payload with the extracted information and then modify that username field to be malformed).

The entry vector for the attack is a phishing email containing a Microsoft Word attachment that employs job-themed lures for roles in the U.S. government and Public Service Association, a trade union based in New Zealand.

Cobalt Strike Beacons
Cobalt Strike Beacons

“This campaign is a typical example of a threat actor using the technique of generating and executing malicious scripts in the victim’s system memory,” the researchers said.

“Organizations should be constantly vigilant on the Cobalt Strike beacons and implement layered defense capabilities to thwart the attacker’s attempts in the earlier stage of the attack’s infection chain.”

Official Statement from HelpSystem maintainer of Cobalt stike

An independent researcher identified as “Beichendream” contacted us about an XSS vulnerability they discovered in the team server. This would allow an attacker to set a malformed username in the Beacon configuration, allowing them to execute code remotely. We created a CVE for this issue which has been fixed.

Official advisory: https://www.cobaltstrike.com/blog/out-of-band-update-cobalt-strike-4-7-1/ 

As several exploit attempts of the platform, avoids using or exposing cobalt strike software.

Also be wary of any attachment or report  

Currently, there are 1949 cobalt strike exposed system recorded in shodan 

Previous Issues of vulnerability Weekly

Francesco Cipollone

Francesco Cipollone

Francesco is an internationally renowned public speaker, with multiple interviews in high-profile publications (eg. Forbes), and an author of numerous books and articles, who utilises his platform to evangelize the importance of Cloud security and cutting-edge technologies on a global scale.
2nd October 2022
Francesco is an internationally renowned public speaker, with multiple interviews in high-profile publications (eg. Forbes), and an author of numerous books and articles, who utilises his platform to evangelize the importance of Cloud security and cutting-edge technologies on a global scale.

Discuss this blog with our community on Slack

Join our AppSec Phoenix community on Slack to discuss this blog and other news with our professional security team

Join Slack community
Linkedin-in Youtube Facebook-f Twitter Instagram

From our Blog

what is cisa kev
  • 15th March 2023

What is CISA KEV Known Exploited Vulnerability, and how to use it in prioritization?

Application security programs are vast and complicated; there are many methods to attack the problem, and Chris Romeo is an expert on the topic. Chris Romeo is a leading voice and thinker in application security, threat modelling, security champions, and the CEO of Kerr Ventures
Francesco Cipollone
AppSec Phoenix February Release
  • 28th February 2023

New Features – February 2023

New Details and metadata on assets and vulnerabilities, improved SLA, Updated risk formula, Added domain in the contextual rules, Outbound asset API (preview) Security update on libraries
Alfonso Eusebio

Join our Mailing list!

Get all the latest news, exclusive deals, and feature updates.

x Logo: ShieldPRO
This Site Is Protected By
ShieldPRO